Abstract 


As part of the Detecting Intrusions at Layer ONe 
(DILON) project, we show that Ethernet devices can be 
uniquely identified and tracked—using as few as 25 Ether- 
net frames—by analyzing variations in their analog signal 
caused by hardware and manufacturing inconsistencies. An 
optimal detector, the matched filter, is utilized to create sig- 
nal profiles, which aid in identifying the device the signal 
originated from. Several non-traditional applications of the 
filter are presented in order to improve its ability to dis- 
criminate between signals from seemingly identical devices 
of the same manufacturing lot. The experimental results of 
applying these filters to three different models of Ethernet 
cards, totaling 16 devices, are presented and discussed. 

Important applications of this technology include intru- 
sion detection (discovering node impersonation and net- 
work tampering), authentication (preventing unauthorized 
access to the physical network), forensic data collection (ty- 
ing a physical device to a specific network incident), and 
assurance monitoring (determining whether a device will 
fail or is in the process of failing). 


1. Introduction 
1.1. Network access control 


Current network access control (NAC) mechanisms rely 
exclusively on the use of digital tokens or identifiers—
usernames and passwords, MAC addresses, SSL certificates, 
WEP/WPA keys, etc.—to prevent unauthorized access. 
Unfortunately, even strong tokens and identifiers, such 
as SSL certificates, by their purely digital nature, can be 
discretely copied if improperly secured, and put to use by 
malicious users. Even worse, popular weak identifiers, such 
as MAC addresses, may be easily obtained through passive 
network monitoring, and spoofed through the use of 
a programmable network card. In contrast, the analog 
characteristics of a device are nearly impossible to obtain (a 
measurement cannot be done without physical access to the 
medium) and duplicate, which makes them well-suited for 
NAC purposes. 

In the digital age, the physical layer is often regarded as 
a security impediment, or, at best, overlooked as a source 
of solutions for today’s security needs, because of its non- 
digital nature. The instinctive reaction to the physical layer 
has been to focus on securing the layers above it, through 
the use of encryption, so that some level of authentication 
is necessary for access to it. These methods often prove 
intrusive to the end-user, forcing them to remember 
forever-changing and arcane keys, configure troublesome access 
clients, or keep track of yet another access token. Clearly, 
a non-intrusive method, which complements existing access 
control methods, is needed to control access to the network 
infrastructure. We believe that DILON technology can ful- 
fill this need. 


1.2. The DILON concept 


The DILON project investigates the use of analog and 
digital characteristics of digital devices for such secu- 
rity purposes as intrusion detection, authentication, foren- 
sic data collection, and assurance monitoring. DILON is 
founded upon the belief that hardware and manufactur- 
ing inconsistencies cause minute and unique variations in 
the signaling behavior of every digital device; furthermore, 
these variations are manifest by use of the appropriate sig- 
nal processing technique(s). Central to the security of this 
concept is the belief that these slight variations are difficult, 
if not impossible, to control and duplicate. This assumption 
is founded upon knowledge of the variable tolerances of de- 
vice components, which are introduced in the design and 
fabrication processes, used in the construction of digital de- 
vices. These tolerances allow for unpredictable variations 
in the overall electrical operation of the device. Simply put, 
because of these variations, no two devices may be made 
exactly the same, and hence their analog signal characteris- 
tics cannot be made the same, without substantial reverse- 
engineering beyond the reach of all but the most determined 
attackers. 

Figure 1 presents a system-level diagram for an 
implementation of DILON technology. On the top of the 
diagram are subject devices that communicate over a physical 
medium—wired or unwired—to connect with a controlled 
device, a switch or access point for instance. At the control 
device an analog tap is used in conjunction with an analog- 
to-digital converter (ADC) to sample the electrical signals 
arriving across the medium, at a much higher rate and with 
greater resolution than is necessary to actually decode the 
signal. Storage will also be required for past and present 
fingerprints. A policy engine will make use of a compari- 
son module to determine which devices have access to the 
network, as well as issue reports concerning the state of the 
network. 

The present approach for DILON focuses on making 
use of a matched filter to create profiles of signals that are 
useful in identifying the device the signal originated from. 
We have found that a traditional matched filter is sensitive 
enough to easily discriminate between signals produced by 
different model Ethernet cards. Using advanced techniques, 
a matched filter, applied in non-traditional ways, can be 
made to discriminate between Ethernet cards of the same 
model—even when each component of these cards 
possesses the same serial numbers, and appears to come from the 
same manufacturing lot. We have also developed adaptive 
methods that accurately track fluctuations in signals due to 
device aging, voltage variations, and temperature changes. 
These methods provide realistic and consistent false-accept 
and false-reject rates (FAR and FRR). 


1.3. Previous work 


Signal detection and identification was one of the ma- 
jor challenges in the research and development of radar and 
wireless communication systems for a greater part of the 
20th century. In particular, identification of radar, radios, 
and various wireless communications became a very 
important and popular topic around the time of World War II [13]. 
Most methods developed for radar identification at this time 
were based upon transient analysis. As higher frequency 
and faster responding circuits were introduced, more in- 
depth transient analysis became necessary for transmitter 
identification. To this day, many researchers are making use 
of transient methods for the identification of modern trans- 
mitters [3, 25, 1, 9, 10, 4, 17, 5]. However, these methods 
have only proven successful in situations when the trans- 
mitters under consideration were considerably different. 


To date, a robust, reliable, and adoptable system for 
transmitter characterization has yet to be devised to effec- 
tively handle multiple transmitters in interconnected sys- 
tems. While frequency based classification models have 
been suggested [11, 12, 15, 14, 20], and other general rules 
for identification have been suggested [6, 24], each is lim- 
ited to discriminating between different brands and systems. 
As traditional methods cannot adequately identify similar 
devices, they will not be able to guarantee the privacy, secu- 
rity, and integrity of sensitive information necessary to med- 
ical, legal, governmental, and security management firms. 


It should be noted that a similar problem was addressed 
by cellular phone companies to combat cloning [23, 19, 18]. 
However, due to the proprietary nature of their work, there is very 
little published on their methodology. From what can be 
determined from the limited literature available, these meth- 
ods do not have a high success rate in discriminating signals 
from similar sources. 


Recently, work in the development of physical authenti- 
cation schemes has led to the creation of a physical token 
that implements a physical one-way function, which is ver- 
ified using a statistical hashing algorithm [22]. Our work is 
different from [22] in that we rely on the inherent physical 
variation introduced as part of the manufacturing process, 
and do not require extra variation to be explicitly added to 
the devices for such purposes. 


A more closely related physical authentication system 
was introduced in [8, 7]. Gassend et al. investigated the 
identification of integrated circuits based upon the indirect 
measurement of their timing characteristics. In contrast, our 
method focuses on examining the spectral characteristics 
across the operating bandwidth of the device. Additionally, 
our work shows that the signaling characteristics of network 
devices appear to be more amenable to identification than 
integrated circuits, as we have been able to identify a greater 
number of devices. 


Finally, recent work has investigated the possibility of 
remotely fingerprinting devices over the Internet by mea- 
suring their clock skew [16]. This method shows promise; 
however, accurate identification seems to require 36 hours 
of observation, where packets are received from the remote 
host at a rate of 46 packets per hour. The efficacy of this 
method is difficult to measure, as the authors do not report 
their results in terms of false-reject and false-accept rates. 


2. Background 


The concepts of systems, signals, filtering, and related 
terminology and tools are discussed. The matched filter op- 
eration is defined. 

Figure 1. Functional view of a NAC system incorporating DILON technology. 


2.1. Signals and systems 


A system is a process by which an input signal is transformed 
to produce an output signal; furthermore, a system 
is said to be linear time-invariant (LTI) if the system is both 
additive and multiplicative, and a time shift of the input 
results in a corresponding time shift in the output. It can be 
shown that the response, or output, of an LTI system to all 
inputs can be completely described by determining the 
system's unit impulse response [21]. For our purposes, the unit 
impulse response, or transfer function, of a system in the 
time domain will be denoted by h(t). The response of a 
system, y(t), to a particular input, x(t), can be found by 
convolving the transfer function of the system with the input 
signal. The convolution operation, denoted by $*$, between 
h(t) and x(t) is defined as: 

$$y(t) = h(t) * x(t) = \int_{-\infty}^{+\infty} h(t - \tau)\, x(\tau)\, d\tau \qquad (1)$$


By taking the Fourier Transform of the input signal, 
denoted by $\mathcal{F}\{x(t)\} = X(\omega)$, and the transfer function, 
denoted by $\mathcal{F}\{h(t)\} = H(\omega)$, the convolution operation 
defined in (1) may be replaced by multiplication: 


(2) 


It should be noted that (2) gives the frequency response 
of a system, whereas (1) gives its time-domain response. 
Of course, these responses are related through the inverse- 
Fourier and Fourier Transforms, respectively. 


2.2. Filters 


A filter may be regarded as a special kind of system, 
where the relative amplitudes and phases of the frequency 
components of an input signal are modified, or eliminated. 
As the filter discussed in this paper is LTI, we may describe 
its response via a transfer function. In turn, this transfer 
function may be used in conjunction with either (1) or (2) to 
determine the response of the filter to an input signal. 


2.3. The matched filter 


The matched filter is said to be an optimal detector, as it 
can be shown that the filter maximizes the signal-to-noise 
ratio of a known input signal in additive white Gaussian 
noise (AWGN) [2]. The transfer function of the matched 
filter, in the frequency domain, at sampling time $t_0$ may be 
stated as: 

$$H(\omega) = \kappa \frac{A^*(\omega)}{P(\omega)} \exp(-j\omega t_0) \qquad (3)$$

where $A^*(\omega)$ is the complex conjugate of the Fourier 
Transform of a known time-domain signal $a(t)$, $P(\omega)$ is the 
power spectral density (PSD) of the noise associated with 
an input signal, and $\kappa$ is an arbitrary constant. By 
selecting an appropriate value of $\kappa$ for the operating environment, 
and assuming AWGN for the PSD, $P(\omega)$ may be eliminated 
from (3). For a given input signal, $\beta(t)$, the output of the 
filter, $M_{t_0}$, at sampling time $t_0$, in the Gaussian noise case 
is then: 

$$M_{t_0} = H(\omega)B(\omega) = A^*(\omega) \exp(-j\omega t_0)\, B(\omega) \qquad (4)$$

where $B(\omega)$ is the Fourier Transform of the time-domain 
input signal $\beta(t)$. 

Taking the inverse Fourier Transform of (3) gives the 
transfer function of the filter, h(t), in the time-domain, for 
the AWGN case, as: 


$$h(t) = a(t_0 - t) \qquad (5)$$


It can be shown that the output of the filter is maximized 
when: 

$$M_{t_0} = h(t) * \beta(t) = \int_0^T a(\tau)\, \beta(\tau)\, d\tau \qquad (6)$$

where $T$ is the period of the known time-domain signal 
$a(t)$. 

As can be seen from (6), the matched filter operation 
may be interpreted as the inner-product of two signals, or 
an integrated-correlation. 


3. Signal identification 


We describe how the matched filter may be used to create 
a signal profile useful for identifying a signal’s device of 
origin. 


3.1. Signal selection rationale 


This work focuses on the profiling of 10Mb wired 
Ethernet signals. We chose to study 10Mb Ethernet because of 
the relative simplicity of the electronic devices and signal- 
ing involved, and its operation at low speeds. As the elec- 
tronics and signaling are less complicated than higher-speed 
systems, we were able to understand the functioning of the 
devices, and identify common behavior between devices of 
different makes, which aided us in hypothesis creation and 
testing while attempting to identify differences and similar- 
ities in signals. In addition, capturing accurate samples of 
10Mb Ethernet frames may be accomplished using lower 
resolution, slower, and therefore less expensive ADCs. 

Wired Ethernet was chosen due to the low noise environ- 
ment inherent in wired systems. Environmental noise adds 
a stochastic and non-stationary component to the signal that 
must be minimized as much as possible to obtain consis- 
tent measurements. On the other hand, noise characteristics 
of an individual device, or component from a device, may 
exhibit distinguishing characteristics. 

Finally, we believed that if we should fail in discriminating 
10Mb Ethernet signals, we would have little chance of 
succeeding in the high-speed wired and wireless domains. 
However, we should also note that in some respects profiling 
10Mb Ethernet signals may be viewed as a more difficult 
problem than that of higher-speed systems: there are 
fewer components per device, and hence less opportunity 
for signal variability due to perturbation by device compo- 
nents. 


3.2. Identifying a common signal 


In order to create a profile of the signal characteristics 
for an Ethernet device, a portion of the frame preamble 
common to all devices was identified. At the beginning of 
each frame a 64-bit sequence of alternating ones and zeros, 
encoded using differential Manchester encoding with a 
fundamental frequency of 5MHz, ending with the sequence 
10101011, is sent to synchronize the receiver of the 
destination device to the transmitter of the source device 
(Figure 2). 

This synchronization signal consists of a transient, or 
turn-on, portion (denoted by '- . - . -' in Figure 2), which 
is the result of the transmitting circuitry of the sending 
device powering on, as well as a steady state portion (denoted 
by '-----' in Figure 2) that serves as the actual 
synchronization signal. 

As mentioned earlier, most work in signal identification 
has traditionally focused on the transient portion of a 
signal. However, as the transient signal in 10Mb Ethernet is so 
small, in terms of the number of wavelengths of the over- 
all signal, we do not believe that there is physically enough 
information contained in it for the identification of similar 
devices. Indeed, it has been shown in the literature that tran- 
sient analysis is sufficient only for distinguishing between 
devices of different models, but not devices of the same 
model. As such, our methodology relies primarily upon the 
steady-state portion of the signal for profiling purposes. 

The final portion of the Ethernet frame shown in Figure 
2 (denoted by '.....') is the beginning of the MAC address 
of the receiving device. Preliminary work with this portion 
of the signal has shown that it may be possible to use the 
MAC source address for signal profiling. 


3.3. Matched filter creation 


Having identified a common and repetitive portion of the 
Ethernet signal suitable for identification purposes, an exact 
starting position and period of the portion of the signal to be 
matched to must be chosen. We call this part of the signal 
the reference signal, and choose it to represent the known 
time-domain signal $a(t)$. As per (5), the reference signal 
must be reversed in the time-domain, and shifted by $t_0$ to 
be used as the filter. In this respect $t_0$ may be regarded as 
the final time point of the reference signal. 

Initially, the period and position of the reference signal 
were chosen as an arbitrary number of points spanning the 
length of the synchronization signal. For 10Mb Ethernet, 
we have found this acceptable to distinguish between all but 
the most similar of signals; however, we have also devel- 
oped algorithms to determine the optimal reference signal 
for a set of known devices. This type of reference selection 
would be useful during a training period, where sample data 
could be taken for a new device introduced on the network, 
and compared to previously collected data of other devices. 
For a general study of the matched filter, however, we have 
selected a reference signal that includes the preamble 
transient and steady-state portion of the synchronization signal, 
which is the same, to within five sample points, for each 
device. While optimally determining a reference signal for 
a device, in relation to other known devices, may increase 
performance, our experiments have shown that it is not 
generally necessary to do so. 

Figure 2. The Preamble of an Ethernet frame used for signal profiling. 


3.4. Signal profile 


The first step in creating a signal profile is to apply the 
filter to the signal used to create it; i.e., convolve the filter 
with the portion of the signal used for the selection of the 
reference signal. The filter returns a single value from this 
operation that serves as a baseline. This value represents the 
filter response when a perfect match is made between the 
filter and the original signal. If another signal is exactly the 
same as the original, then we expect that applying the filter 
to this signal will produce the same value. In general then, 
applying the filter to a signal produces a measurement of the 
closeness of the signal to the original, and consequently the 
alikeness of the devices the signals were acquired from. If 
a signal from a different device approaches the filter output 
value for the original signal too closely then we are unable 
to distinguish it from the device that produced the original. 

Due to the noise inherent in any system, we cannot as- 
sume that even a properly functioning device will output 
exactly the same synchronization signal for each frame. 
Noise from surrounding devices, created by a hard disc or 
CD-ROM being accessed or variations in system load, and 
thermal noise assuredly cause slight variations in the sig- 
nal from frame to frame. In fact, with the aid of temper- 
ature recording equipment we have been able to correlate 
aberrations in the filter output to variations in the ambient 
temperature of the lab. Furthermore, due to the non-ideal 
properties of the Ethernet cabling—parasitic resistance, 
capacitance, and inductance—even the act of measuring the 
signal on a different portion of the Ethernet cabling, or using 
a different cable altogether, may affect the measured signal. 
This effect, however, gives rise to the interesting possibility 
of detecting passive taps on the line, which often change the 
effective material parameters of the medium. 

To take into account the inherent variability of every de- 
vice’s output, as well as external factors such as temperature 
and system load variations, a signal profile must be created 
by using a collection of signals taken over a period of time. 
The filter created by the original signal is applied to this col- 
lection of signals and the response to each recorded (Figure 
3). We have found that only 25 sequentially sampled signals 
are necessary to adequately determine the unique signaling 
behavior of a device. 

Figure 3. Filter output for 25 frames of an Ethernet device. 


By examining the filter response for a device over a num- 
ber of hours, we have determined that a device’s synchro- 
nization signal is under continuous change. In many cases, 
we have discovered that slight variations in the amplitude of 
the signals are the cause of this variation. A subtle change 
in signal shape, over a period of hours, also changes the 
filter response. By using the average of several 
synchronization signals for the reference signal we have been able 
to decrease the variation of the filter response; however, this 
often leads to a corresponding increase in the FAR. 

In order to account for these changes in signal characteristics 
over time, we have introduced a tolerance, $\delta$, for the 
maximum amount of deviation in filter response acceptable 
before a signal is labeled as too different from the original. 
In order to take into account past behavior, we require that 
the next n-frames resemble the previous n-frames, $\pm\delta$. In 
this way a device may be adaptively tracked as its signal 
changes over time. Mathematically, this is stated by defining 
two thresholds for the maximum amount of positive, 
$th_+$, and negative, $th_-$, deviation in filter output allowed 
over the previous n-frames: 

$$th_+(\mu_i \cdots \mu_{i+n-1}) = \max(\mu_{i-1} \cdots \mu_{i-n})(1 + \delta)$$
$$th_-(\mu_i \cdots \mu_{i+n-1}) = \min(\mu_{i-1} \cdots \mu_{i-n})(1 - \delta) \qquad (7)$$

where $\mu_i$ represents the filter output of the $i$th frame. We 
have found that setting n equal to the number of samples 
used to learn the behavior of a device proves adequate for 
tracking the signal over time. 

During our experiments the filter output for the first 25 
frames of a device were used as training data, whereby an 
appropriate value for $\delta$ would be determined by stipulating 
that zero false-rejects would occur for the next 25 filter 
outputs. A minimum value of .001 for $\delta$ was imposed, and 
incremented by .001 until the aforementioned condition was 
met. After observing a device’s behavior over time the value 
of $\delta$ can be adjusted to better fit the unique behavior of the 
card. We have also found that large, spurious, deviations 
do occur for all Ethernet devices, so a perfect acceptance 
rate cannot be obtained—unless one is willing to allow a 
certain number of significant deviations every n-frames, or 
set $\delta$ unreasonably high. As with any system with statistical 
variation, a balance must be found for $\delta$ that results in an 
acceptable number of false-accepts and false-rejects. 


3.5. Variations on the matched filter method 


To further improve the efficacy of our method, we have 
devised several variations on the procedure outlined above 
to improve our ability to discriminate between highly sim- 
ilar devices. Each of these techniques works to amplify 
slight differences in signal characteristics that are too sub- 
tle to be distinguished by the original method. The impe- 
tus of this work was based upon the observation that as 
the matched filter operation is a sum of products, large- 
scale similarities between signals can often overshadow the 
small-scale differences useful for signal profiling. 


3.5.1. An ensemble of filters. For a given device, 
multiple matched filters may be created by selecting a 
reference signal for each portion of the preamble identified in 
Section 3.2. Matching filters to the transient, steady-state, 
and source MAC address sections of the frame gives a full 
characterization of the broad traits of a signal. An ensem- 
ble of filters is utilized, instead of a single large filter, so 
that strong similarities in certain regions of the signal can- 
not overshadow smaller differences in others. 


Selecting multiple reference signals for each section of 
the signal may also highlight slight differences; e.g., each 
transition, or pair of transitions, of the synchronization sig- 
nal could be matched to different filters. In such a way the 
granularity of filtering could be arbitrarily increased to take 
into account the smallest of differences. 


3.5.2. Bandpass filtering. By analyzing the spectrum of 
signals from a multitude of similar devices, we have found 
that distinguishable differences exist in the frequencies be- 
yond the fundamental frequency of the synchronization sig- 
nal; however, as the fundamental frequency dominates other 
frequency components, in terms of relative power, these dif- 
ferences are often obscured. Applying a bandpass filter to 
the reference signal and signal samples minimizes the influ- 
ence of the fundamental frequency on the filter response by 
removing that portion of the signal altogether. 

Through experimentation, by use of several bandpass fil- 
ters with increments of 1MHz in bandwidth, we have de- 
termined that, for some devices, the 13-17MHz frequency 
range exhibits the greatest variation. As the power levels of 
frequency components beyond 17MHz approach that of the 
noise level, we have found frequencies higher than 17MHz 
ill-suited for discriminatory purposes. 


3.5.3. Normalization. Normalizing both the reference sig- 
nal and signal samples, according to the Euclidean norm, 
desensitizes the matched filter to similarities in shape, and 
increases its sensitivity to variations in amplitude. This 
proves advantageous for discriminating between signals 
where the differences exist primarily in their relative ampli- 
tudes. However, if the amplitudes of two signals are closely 
matched, while their shapes are not, this form of normal- 
ization will decrease our ability to distinguish between the 
two. 


3.5.4. Trimming. The concept of time-domain trimming 
was developed in order to minimize the effect of the 
signal amplitude on filter response. By eliminating amplitude 
dominance, variations in the shape of the signal are made 
apparent. Analogous to the frequency domain trimming 
used in bandpass filtering, time-domain trimming removes 
the portions of a signal that tend to overshadow all others 
by zeroing the signal amplitude for values greater than a 
predetermined upper bound. By adding a lower bound, and 
varying the height of each boundary accordingly, a window 
is created that allows for any portion of the signal to be 
scrutinized by its shape alone. 

For example, by only setting an upper bound, the zero- 
crossings—where the signal crosses the horizontal axis—of 
a signal may be examined in order to ensure that the width 
of a signal matches that of the filter. We have found that 
time-domain trimming is most effective when only the sig- 
nal samples are trimmed. 


4. Experimental results 


The equipment and methods used to acquire the Ether- 
net signals for analysis are given. Methods for calculating 
the FAR and FRR are discussed. Finally, the results of the 
matched filter approach to signal profiling are given. 


4.1. Experimental setup 


Our current testbed consists of two PCs running GNU 
Linux; one to act as the Test PC (TPC), which houses the 
Ethernet card we wish to fingerprint, while the other, the 
Data Acquisition PC (DAQPC), makes use of a Tektronix 
3052 digital sampling oscilloscope, interfaced via an IEEE 
488 card and Labview-6, connected to a passively tapped 
internal Ethernet card, to capture Ethernet frames sent to it 
over a crossover cable by the TPC. 

In order to generate traffic for the DAQPC to capture, the 
TPC is instructed to ping the DAQPC. During a typical data 
acquisition period the TPC will ping the DAQPC 10,000 
times. To ensure that only traffic from the TPC is captured, 
only the receiving pins of the DAQPC’s Ethernet card have 
been connected to the oscilloscope. In this way we are able 
to allow the DAQPC to respond to the TPC’s pings, and 
ensure that the data acquisition process hasn’t caused any 
packet loss. 

Upon detection of an Ethernet frame the oscilloscope 
begins to sample the signal at a rate of 1 Gigasample/s. The 
signal is sampled 10,000 times, for a total of 10 
microseconds, with 8-bits of resolution. The data collected during 
sampling is sent to the DAQPC via the IEEE 488 interface, 
where a custom Labview routine monitoring the interface 
accepts the data and stores the values in a vector we call a 
record, which is subsequently written to the disc. Each cap- 
tured frame is stored in its own record; all of the records col- 
lected for a device during a session encompass its dataset. 


4.2. Filter application 


Having acquired several thousand signal samples from 
each device over a number of hours, we then create a fil- 
ter for each of the devices using the procedure outlined in 
Section 3.3. The reference signal for each device has a 
period of 4,176 sample points, and is selected from the first 
valid record of a device’s dataset. Following this, the 
reference signal is convolved with each record of its dataset 
using an FFT-based convolution algorithm. Convolving the 
reference signal with each record of its dataset performs the 
matched filter operation for all possible time-shifts; conse- 
quently, an output is created that is equal in length to that of 
the length of the record. This operation is necessary to 
determine the time of optimal alignment, $t_0$, between the filter 
and the record, which results in the maximum filter output, 
as per (6). 

Thus, the filter output at the point of maximum alignment 
corresponds to the maximum of the convolution operation. 
Letting $\varepsilon_i(t)$ represent the reference signal for the 
$i$th device, and $\eta_i^j(t)$ the $j$th record of its dataset, the filter 
output, $\mu_i^j(t_0)$, is then: 

$$\mu_i^j(t_0) = \max(\varepsilon_i(t) * \eta_i^j(t)) \quad \text{for } j = 1 \cdots n \qquad (8)$$


where n is the number of records in the device’s dataset 
(Figure 4). This procedure is followed for each device in 
order to determine the filter response of each record in its 
dataset. 

Having determined the filter output for each record of its 
own dataset, we then apply the filter to each record of the 
other devices' datasets in order to determine the alikeness 
of their respective signals (Figure 5). Letting $\gamma_{i,k}^j(t_0)$ 
represent the filter output using the $i$th device’s filter applied to 
the $k$th device’s dataset: 

$$\gamma_{i,k}^j(t_0) = \max(\varepsilon_i(t) * \eta_k^j(t)) \quad \text{for } j = 1 \cdots n \qquad (9)$$


As can be seen from Figure 5, the respective filter out- 
puts of Device i and Device k do not overlap. Following the 
explanation set forth in Section 3.4., we are therefore able 
to discriminate between Device i and Device k. 
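
The filter construction of Section 3.3 and its application in (8) and (9), as an added example that is not the authors' code. The records are constructed (8 samples per cycle, a 64-sample burst, a small third harmonic standing in for device differences), the function names are assumptions, and direct convolution is used in place of the FFT-based algorithm the text mentions.

```python
import math
import random

SAMPLES_PER_CYCLE = 8   # constructed ratio, not the paper's 1 GS/s capture
BURST_LEN = 64          # samples in the constructed synchronization burst


def synth_record(amplitude, third_harmonic, lead, rng, noise=0.005, tail=20):
    """Constructed record: idle line, alternating-bit burst, idle line."""
    record = [rng.gauss(0.0, noise) for _ in range(lead)]
    for k in range(BURST_LEN):
        phase = 2.0 * math.pi * k / SAMPLES_PER_CYCLE
        clean = amplitude * (math.sin(phase) + third_harmonic * math.sin(3.0 * phase))
        record.append(clean + rng.gauss(0.0, noise))
    record.extend(rng.gauss(0.0, noise) for _ in range(tail))
    return record


def make_filter(reference):
    """Eq. (5): h(t) = a(t0 - t), the reference signal reversed in time."""
    return reference[::-1]


def convolve(h, x):
    """Direct linear convolution y = h * x, eq. (1), for sampled signals."""
    y = [0.0] * (len(h) + len(x) - 1)
    for i, hv in enumerate(h):
        for j, xv in enumerate(x):
            y[i + j] += hv * xv
    return y


def filter_output(h, record):
    """Eq. (8)/(9): maximum over all time shifts, and the record offset of that maximum."""
    y = convolve(h, record)
    peak = max(range(len(y)), key=y.__getitem__)
    # y[peak] equals sum_k a[k] * record[offset + k], the inner product of eq. (6)
    return y[peak], peak - (len(h) - 1)


def demo(n_records=25, seed=1):
    rng = random.Random(seed)
    lead_i, lead_k = 20, 33   # the burst starts at a different offset per capture
    # Two constructed devices of the "same model": slightly different amplitude
    # and harmonic content.
    dataset_i = [synth_record(1.00, 0.10, lead_i, rng) for _ in range(n_records)]
    dataset_k = [synth_record(0.97, 0.14, lead_k, rng) for _ in range(n_records)]

    reference = dataset_i[0][lead_i:lead_i + BURST_LEN]   # from the first record
    h = make_filter(reference)

    baseline, baseline_offset = filter_output(h, dataset_i[0])
    mu = [filter_output(h, r)[0] for r in dataset_i]       # eq. (8)
    cross = [filter_output(h, r) for r in dataset_k]       # eq. (9)
    return {
        "baseline": baseline,
        "baseline_offset": baseline_offset,
        "mu": mu,
        "gamma": [value for value, _ in cross],
        "gamma_offsets": [offset for _, offset in cross],
    }


if __name__ == "__main__":
    r = demo()
    print("baseline %.3f at offset %d" % (r["baseline"], r["baseline_offset"]))
    print("device i outputs: %.3f .. %.3f" % (min(r["mu"]), max(r["mu"])))
    print("device k outputs: %.3f .. %.3f" % (min(r["gamma"]), max(r["gamma"])))
```

The two output ranges do not overlap, which is the separation Figure 5 describes, and the offset of the maximum recovers where the burst sits in each record.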


4.3. Acceptance testing 


Following the procedure set forth in Section 3.4., a value 
for $\delta$ can be determined that is expected to provide an 
acceptable FRR (less than .009 in our experiments). Using the 
response of the filter for the $i$th device to the 26th through 
50th records of its own dataset, $\mu_i^{26 \cdots 50}(t_0)$, as training data 
in conjunction with (7), thresholds can be established for 
the next 25 filter outputs. If the filter response for one of 
the next 25 records lies outside of the bounds set by these 
thresholds then its corresponding record is marked as re- 
jected, and is not used in determining the thresholds for the 
next 25 outputs. This procedure is followed for the remain- 
der of the filter responses in the device’s dataset. The FRR 
is then calculated using: 

$$\mathrm{FRR} = \frac{n_r}{n} \qquad (10)$$

where $n_r$ is the number of rejected records and $n$ is the
number of total records.


Figure 4. Filter output for 10,000 records of an Ethernet device.


[Figure 5 plot: filter output (Volts²) versus record (1 to 10,000); legend: Device i [$\mu_i(t_0)$], Device k [$\gamma_{i,k}(t_0)$]]

Figure 5. Filter output for 10,000 records of two different Ethernet devices using the same filter.


4.4. Intrusion testing


Whereas it is possible to determine the FRR by sequentially
applying (7) to each of the next 25 filter outputs, the
FAR may not be determined in such a sequential manner,
as it cannot be known where to begin comparing the output
of the $i^{th}$ device’s filter applied to the $k^{th}$ device’s dataset.
Simply comparing the distributions of the filter output for
the two cases would also produce an inaccurate FAR, as
the filter output for each device is changing in time, and
it would not be unreasonable to assume that at a particular
point in time one device will have the same filter response
as another device at a different point in time (Figure 6).

Thus, to calculate an accurate FAR, we assume that the
filter response for each record of the $k^{th}$ device’s dataset
using the $i^{th}$ device’s filter, $\gamma_{i,k}^{1\text{--}n}(t_0)$, where $n$ is the
number of records in a dataset, is equally likely. Based upon
this assumption, random numbers between one and $n$ are
generated to serve as an index used in deciding the starting
value of $j$, for the filter response $\gamma_{i,k}^j(t_0)$.

Using the first value of the index for $j$, the next 24 filter
responses, $\gamma_{i,k}^{j\text{--}j+24}(t_0)$, are compared to the threshold
values calculated for $\mu_i^{1\text{--}25}(t_0)$ to check whether or not a
record from $\gamma_{i,k}^{j\text{--}j+24}(t_0)$ would be accepted as a record
from $\mu_i^{1\text{--}25}(t_0)$. This procedure is followed for each 25
record segment of $\mu_i^{1\text{--}n}(t_0)$, where every 25 records a new
value of $j$ is chosen by taking the next value in the index.
The total number of index values generated should then be
$n$ divided by 25. The FAR is then calculated using:


$$\mathrm{FAR} = \frac{n_a}{n} \qquad (11)$$

where $n_a$ is the number of accepted records and $n$ is the
number of total records.


Figure 6. Filter output for 10,000 records of two different Ethernet devices using the same filter,
where at different times the filter output is the same.

This procedure is repeated 1,000 times, with new index
values chosen for each iteration. The FARs of the iterations
are then averaged to produce the total FAR. Repeated testing
using this method has provided consistent values for the
FAR.
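The acceptance test of Section 4.3 and the randomized intrusion test of Section 4.4, written out as an added Python example that is not the authors' code. The threshold rule (7) is not reproduced in this section, so `bounds` is an assumed stand-in for it; the function names and the constructed output sequences are likewise hypothetical.

```python
import random

WINDOW = 25  # records per threshold window, as in Sections 4.3 and 4.4

def bounds(train, delta):
    # Assumed stand-in for the paper's threshold rule (7), which this section
    # does not reproduce: widen the training window's range by a fraction delta.
    return min(train) * (1 - delta), max(train) * (1 + delta)

def frr(mu, delta):
    """Section 4.3: each window is judged by thresholds trained on the accepted
    outputs of the window before it; records 26-50 seed the first thresholds."""
    train, rejected = mu[WINDOW:2 * WINDOW], 0
    for start in range(2 * WINDOW, len(mu), WINDOW):
        lo, hi = bounds(train, delta)
        seg = mu[start:start + WINDOW]
        accepted = [y for y in seg if lo <= y <= hi]
        rejected += len(seg) - len(accepted)
        train = accepted or train  # rejected records never train a threshold
    return rejected / len(mu)      # equation (10): n_r / n

def far(mu, gamma, delta, iterations=1000, seed=0):
    """Section 4.4: every 25-record window of mu is challenged with 25
    consecutive outputs of gamma starting at a freshly drawn random record j."""
    rng, n, rates = random.Random(seed), len(gamma), []
    for _ in range(iterations):
        accepted = 0
        for start in range(0, len(mu) - WINDOW + 1, WINDOW):
            lo, hi = bounds(mu[start:start + WINDOW], delta)
            j = rng.randrange(n - WINDOW + 1)  # assumption: run stays in range
            accepted += sum(lo <= y <= hi for y in gamma[j:j + WINDOW])
        rates.append(accepted / n)             # equation (11): n_a / n
    return sum(rates) / iterations             # averaged over all iterations

def constructed_outputs(offset, n=1000):
    # Constructed data, not measurements: slow upward drift plus a small
    # repeating ripple, shifted by a per-device offset (arbitrary units).
    return [1.0 + offset + 1e-5 * t + 1e-4 * ((7 * t) % 11) for t in range(n)]

if __name__ == "__main__":
    dev_i = constructed_outputs(0.0)
    print("FRR, device i:          ", frr(dev_i, 0.001))
    print("FAR, different model:   ", far(dev_i, constructed_outputs(0.5), 0.001))
    print("FAR, same-lot lookalike:", far(dev_i, constructed_outputs(0.004), 0.001))
```

On this constructed data the lookalike device never falls inside device i's thresholds at the same record position, yet the randomized test reports a non-zero FAR because its earlier outputs match device i's later ones, which is the situation Figure 6 describes.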


4.5. Results 


The results of the matched filter methodology for signal 
profiling are shown for 16 devices, consisting of a combina- 
tion of three different models, via a confusion matrix (Table 
1), which indicates the FRR and the FAR. The FRR may 
be deduced by subtracting the diagonal elements from one, 
while the FAR is simply the off-diagonal elements. Per- 
fect detection/rejection would result in a matrix where the 
diagonal is one and off-diagonal elements are zero. The 
FRR and FAR are reported for 10,000 records per dataset. 
The naming convention mXcY is utilized to denote card Y 
of model X. 

As can be seen from the table, the FRR is sufficiently
low (less than 1%); for different model cards we have near
perfect detection, while some cards of the same model are
difficult to differentiate. By experimenting with different
minimum and incremental values used in determining $\delta$, we
have found that minimum and incremental values of .001
allow for too much variation in filter output. In fact, a slightly
lower value of $\delta$ for each card will result in a negligibly
higher false-reject rate; completely eliminate nearly all
collisions which occur with frequency less than 20%; decrease
collisions which occur with frequency less than 80% by up
to 30%; but have no effect on collisions which occur with
frequency greater than 80%. In addition, by utilizing the
techniques discussed in Section 3.5., we have been able to
substantially reduce or eliminate most collisions. In
particular, bandpass filtering proved particularly effective in
differentiating m6c3 from m5c3/7. Through the use of both
bandpass filters and an ensemble of filters, we were also
able to eliminate almost all of the intra-model collisions of
m5cY and m6cY, respectively. Time-domain trimming and
an ensemble of filters were also employed to dramatically
reduce the number of collisions in m4cY, although perfect
discrimination was not possible.


5. Future work 


Several important issues regarding the variability of a de- 
vice’s analog signal require additional consideration. For 
example, under what conditions does the signal vary, how 
does device aging affect signaling characteristics, and how 
can a signal from a system that has lost and re-established a 
connection with the network be tracked? These questions, 
amongst others, provide a rich backdrop for future research. 

An immediate area of consideration is extending this
work to include different networking systems. Initial work
has already begun on attempting to profile 100Mb Ethernet
signals. Preliminary results indicate that the aforementioned
techniques will be adequate for discriminating between
different model devices; however, a deeper investigation
into the signaling characteristics of 100Mb Ethernet
devices may be required in order to provide accurate
results for devices of the same model. Work will also
continue in the 10Mb realm, as we try to create signal profiles
for as many devices as possible. Other work includes
analyzing wireless signals from 802.11b, sensor networks, and
RFID systems. Currently, we are attempting to optimize
the matched filter for the profiling of wireless signals.
Major challenges include adjusting the sensitivity of the filter
to handle fluctuations of amplitude. Possible solutions to
this problem include signal normalization and equalization.


Table 1. Confusion matrix of 16 devices with 10,000 records per dataset

Expected card (rows) versus tested card (columns)

Expected  m4c1   m4c2   m4c3   m5c1   m5c2   m5c3   m5c4   m5c5   m5c6   m5c7   m5c8   m5c9   m5c10  m6c1   m6c2   m6c3
m4c1      .9961  0      0      0      0      0      0      0      0      0      0      0      0      0      0      0
m4c2      0      .9965  .8470  0      0      0      0      0      0      0      0      0      0      0      0      0
m4c3      0      .8988  .9956  0      0      0      0      0      0      0      0      0      0      0      0      0
m5c1      0      0      0      .9969  .9729  .0003  0      0      .0012  .0002  .0342  0      0      0      0      0
m5c2      0      0      0      .9290  .9970  0      0      0      .0026  0      .0626  0      0      0      0      0
m5c3      0      0      0      .0032  0      1.000  0      0      0      .9982  0      0      0      0      0      0
m5c4      0      0      0      0      0      0      .9999  0      0      0      0      .0020  .0017  0      0      0
m5c5      0      0      0      0      0      0      0      .9928  0      0      0      0      0      0      0      0
m5c6      0      0      0      .0184  .0394  0      0      0      .9999  0      .9584  0      .7792  0      0      0
m5c7      0      0      0      .0003  0      .9751  0      0      0      .9940  0      0      0      0      0      0
m5c8      0      0      0      .0278  .0751  0      0      0      .8873  0      .9957  0      .1821  0      0      0
m5c9      0      0      0      0      0      0      .0001  0      0      0      0      .9932  0      0      0      0
m5c10     0      0      0      0      0      0      .0004  0      .3988  0      .1518  0      .9938  0      0      0
m6c1      0      0      0      0      0      0      0      0      0      0      0      0      0      .9995  .3489  0
m6c2      0      0      0      0      0      .0150  0      0      0      .0490  0      0      0      .3176  .9992  .1037
m6c3      0      0      0      0      0      .5769  0      0      0      .7100  0      0      0      0      .0857  .9994


6. Conclusion 


We have shown that the matched filter can be reliably
used to build signal profiles that can be used to discriminate
between Ethernet cards of different models. By applying
the matched filter in non-traditional ways, we have
also demonstrated that it is possible to discriminate between
seemingly identical cards, which appear to have originated
from the same manufacturing lot. Finally, we have
demonstrated that the analog signal characteristics of Ethernet
devices can be tracked, and are thus suitable for use in
network access control schemes. The techniques used in
evaluating the effectiveness of the matched filter method have
also been given. Future work will focus on applying our
methods to the high-speed (100Mb and 1Gb Ethernet) and
wireless domains (802.11b, sensor networks, and RFID
systems), as well as exploring how device behavior changes
due to environmental factors and aging.